Telenor Connexion VPN
Product Specification

1. PRODUCT OVERVIEW

A Virtual Private Network (VPN) provides a secure connection over the internet between the customer data center and the Telenor Connexion IoT platform. For geographical redundancy, the Telenor Connexion IoT platform consists of two sites, a primary site (Site 1) and a secondary site (Site 2). Both sites are connected to the Telenor Connexion Core Network and are interconnected with each other.

1.1 VPN End-Point

The customer needs to set up end-point(s) for the VPN tunnels in the customer data center. There are two options for the end-points:

  • Telenor Connexion provided router(s) that are ready to be plugged in
  • Customer provided end-point, for example a firewall or a router

In both cases, Internet Protocol Security (IPsec) is used to carry the traffic between Site 1, Site 2 and the end-point(s), and in both cases the customer is responsible for connecting the end-point(s) in the customer data center.

1.2 VPN Security

Regardless of the routing option chosen, all traffic between the sites and the customer end-point(s) is carried inside IPsec tunnels; the routing option only decides through which tunnel a packet is sent.

1.2.1 Static Routing

If static routing is chosen, no routing protocol will be used.

1.2.2 BGP VPN Tunnels

If BGP is used as the routing protocol, external BGP (eBGP) sessions exchange routing information through the IPsec VPN tunnels.

1.2.3 OSPF VPN Tunnels

If OSPF is used as the routing protocol, virtual tunnel interfaces (VTI) or Generic Routing Encapsulation (GRE) are supported for routing the OSPF traffic over the IPsec VPN tunnels. OSPF needs a routed interface on each tunnel because its hello packets are multicast and cannot be carried by IPsec policies alone.
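A concrete instance of the two-tunnel, route-based setup described in sections 1.1 to 1.2.3, written for a Linux customer end-point running strongSwan, as an added example. It is not Telenor Connexion's configuration and the specification does not prescribe any particular software. The public addresses (203.0.113.10 for the customer end-point, 198.51.100.1 and 198.51.100.2 for Site 1 and Site 2), the identities, the use of IKEv2, the cipher proposals and the placeholder pre-shared keys are all assumptions; the real values come from the VPN order. The XFRM interface IDs 1 and 2 correspond to interfaces ipsec1 and ipsec2 that are created separately with iproute2.

```conf
# /etc/swanctl/swanctl.conf on a Linux customer end-point (strongSwan 5.8 or later).
# Added example for this specification, not Telenor Connexion's own configuration.
# Every address, identity, proposal and pre-shared key below is a placeholder
# (assumption); the real values are agreed with Telenor Connexion at ordering.
# Both tunnels are route-based: each CHILD_SA is bound to an XFRM interface
# (ipsec1 for Site 1, ipsec2 for Site 2) that static routes, OSPF or BGP can
# point at, which is the "VTI" option of section 1.2.3.
connections {
    site1 {                                   # primary tunnel: end-point <-> Site 1
        version      = 2                      # IKEv2 (assumption; not stated in the spec)
        local_addrs  = 203.0.113.10           # customer end-point public address
        remote_addrs = 198.51.100.1           # Site 1 VPN gateway
        local {
            auth = psk
            id   = 203.0.113.10
        }
        remote {
            auth = psk
            id   = 198.51.100.1
        }
        proposals = aes256-sha256-ecp256      # IKE SA: AES-256, HMAC-SHA-256, ECDH P-256
        dpd_delay = 10s                       # Dead Peer Detection every 10 s (section 2.2.1)
        children {
            site1 {
                local_ts      = 0.0.0.0/0     # route-based: selectors are wide open,
                remote_ts     = 0.0.0.0/0     # the routing table decides what enters the tunnel
                if_id_in      = 1             # bind this SA to XFRM interface ipsec1
                if_id_out     = 1
                esp_proposals = aes256gcm16-ecp256   # ESP: AES-256-GCM with PFS
                start_action  = start         # bring the tunnel up when swanctl loads it
                dpd_action    = restart       # re-initiate when the peer is declared dead
                close_action  = start         # re-initiate if the peer closes the SA
            }
        }
    }
    site2 {                                   # secondary tunnel: end-point <-> Site 2
        version      = 2
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.2           # Site 2 VPN gateway
        local {
            auth = psk
            id   = 203.0.113.10
        }
        remote {
            auth = psk
            id   = 198.51.100.2
        }
        proposals = aes256-sha256-ecp256
        dpd_delay = 10s
        children {
            site2 {
                local_ts      = 0.0.0.0/0
                remote_ts     = 0.0.0.0/0
                if_id_in      = 2             # bind this SA to XFRM interface ipsec2
                if_id_out     = 2
                esp_proposals = aes256gcm16-ecp256
                start_action  = start
                dpd_action    = restart
                close_action  = start
            }
        }
    }
}
secrets {
    ike-site1 {
        id     = 198.51.100.1
        secret = "REPLACE-WITH-SITE1-PSK"     # placeholder
    }
    ike-site2 {
        id     = 198.51.100.2
        secret = "REPLACE-WITH-SITE2-PSK"     # placeholder
    }
}
```

Before loading this with `swanctl --load-all`, set `charon.install_routes = no` in strongswan.conf (otherwise strongSwan installs its own routes for the 0.0.0.0/0 selectors) and create the interfaces, for example `ip link add ipsec1 type xfrm dev eth0 if_id 1` and `ip link set ipsec1 up` (likewise ipsec2 with if_id 2). For the static routing option (sections 1.2.1 and 1.4.2) the platform prefix is then routed via ipsec1 with a low metric and via ipsec2 with a higher one. One caveat a practitioner should know: an XFRM interface stays administratively up after its SA has been torn down, so a dead primary tunnel does not remove the static route by itself; with static routing the route must be withdrawn by the CHILD_SA's updown script when DPD declares the peer dead, or traffic is blackholed instead of failing over to Site 2. OSPF and BGP avoid this because their own adjacency or hold timers withdraw the routes learnt over the dead tunnel.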

1.3 Telenor Connexion provided End-Point

If the customer chooses a Telenor Connexion provided end-point, Telenor Connexion is responsible for configuring and shipping the router(s) to the customer. The customer is responsible for the setup within the customer data center, such as connecting the router to a firewall.

1.3.1 Single VPN

In a single VPN setup with Telenor Connexion provided end-point, the customer connects to the Telenor Connexion IoT platform using one customer end-point and one VPN tunnel to each Site. Figure 1 shows an overview of a single VPN setup with Telenor Connexion provided end-point.

Figure 1. Overview of single VPN setup with Telenor Connexion provided end-point.

1.3.2 Redundant VPN

In a redundant VPN setup with Telenor Connexion provided end-points, the customer connects to the Telenor Connexion IoT platform using two VPN tunnels and two end-points at the customer data center, see Figure 2.

Figure 2. Overview of redundant VPN setup with Telenor Connexion provided end-points.

1.4 Customer provided End-Point

If the customer chooses to use customer provided end-point(s), the customer is responsible for configuring the end-point(s). The VPN can be set up as a single VPN or a redundant VPN. A single VPN is connected to one customer end-point, and a redundant VPN uses two customer end-points.

With customer provided end-point(s), it is possible for the customer to choose between the following routing protocols:

  • Static Routing
  • Open Shortest Path First (OSPF)
  • Border Gateway Protocol (BGP)

Table 1 shows a summary of the available setups.

Table 1. Available routing protocols for VPN with Customer provided end-point.

1.4.1 Single VPN

In a single VPN setup with customer provided end-point, the customer connects to the Telenor Connexion IoT platform using one customer end-point and one VPN tunnel to each Site, see Figure 3.


Figure 3. Overview of a Single VPN setup with customer provided end-point.

1.4.2 Single VPN with Static Routing

In a single VPN with Static Routing, the customer connects to Telenor Connexion sites using a static route. The primary VPN tunnel connects to Site 1 and the secondary VPN tunnel connects to Site 2. Figure 4 shows the primary path when using single VPN and Static Routing.


Figure 4. Primary path for traffic for single VPN using Static Routing.

If the primary tunnel fails, traffic will be routed via Telenor Connexion Backbone and the secondary VPN tunnel will be used, see Figure 5.


Figure 5. Traffic path in case of primary VPN tunnel failure for single VPN using Static Routing.

If Site 1 fails, the traffic is sent over Site 2 and through the secondary VPN tunnel, see Figure 6.


Figure 6. Traffic path in case of Site 1 failure for single VPN using Static Routing.

1.4.3 Single VPN with OSPF

In a single VPN OSPF setup, the customer connects to the Telenor Connexion sites using two IPsec VPN tunnels. The primary VPN tunnel connects to Site 1, while the secondary VPN tunnel connects to Site 2. Under normal conditions the traffic is sent over the primary VPN tunnel, see Figure 7.


Figure 7. Primary path for traffic when using single VPN using OSPF.

If the primary tunnel fails, OSPF redirects the traffic to the secondary VPN tunnel via the Telenor Connexion Backbone Network, see Figure 8.


Figure 8. Traffic path in case of primary VPN tunnel failure for single VPN using OSPF.

If Site 1 fails, OSPF redirects the traffic over Site 2 and through the secondary VPN tunnel, see Figure 9.


Figure 9. Traffic path in case of Site 1 failure for single VPN using OSPF.

1.4.4 Single VPN with BGP

In a single VPN BGP setup, the customer connects to the Telenor Connexion sites using two IPsec VPN tunnels. The primary VPN tunnel connects to Site 1, while the secondary VPN tunnel connects to Site 2. Under normal conditions the traffic is sent over the primary VPN tunnel, see Figure 10.


Figure 10. Primary path for traffic when using single VPN using BGP.

If the primary tunnel fails, BGP redirects the traffic to the secondary tunnel via the Telenor Connexion Backbone, see Figure 11.


Figure 11. Traffic path in case of Primary VPN tunnel failure using BGP.

If Site 1 fails, BGP redirects the traffic via Site 2 and through the secondary VPN tunnel, see Figure 12.

Figure 12. Traffic path in case of Site 1 failure using BGP.
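The single VPN with BGP described above, expressed as an FRR configuration for a Linux customer end-point, is added here as an example and is not Telenor Connexion's configuration. It assumes route-based tunnel interfaces ipsec1 (to Site 1) and ipsec2 (to Site 2) already exist, that Telenor Connexion supplied the /30 tunnel networks 192.0.2.0/30 and 192.0.2.4/30 (section 2.2.2), that the customer LAN prefix is 10.10.0.0/24, and that the AS numbers are private-range placeholders (65001 for the customer, 64999 for Telenor Connexion); the real AS numbers and addresses are agreed at ordering (section 2.2.3). It goes slightly beyond the text by also steering the return path: the Site 2 session is advertised with a prepended AS path so the platform prefers Site 1 in both directions as long as the primary tunnel is up.

```conf
! /etc/frr/frr.conf on the customer end-point (bgpd enabled in /etc/frr/daemons).
! Added example for this specification, not Telenor Connexion's own configuration.
! Assumptions: route-based tunnel interfaces ipsec1 (Site 1) and ipsec2 (Site 2)
! exist; Telenor Connexion provided 192.0.2.0/30 and 192.0.2.4/30 for the tunnels;
! Telenor Connexion's AS is shown as 64999 and the customer's as 65001 (both
! private-range placeholders); the customer data center advertises 10.10.0.0/24.
!
interface ipsec1
 description Primary tunnel to Site 1
 ip address 192.0.2.2/30
!
interface ipsec2
 description Secondary tunnel to Site 2
 ip address 192.0.2.6/30
!
router bgp 65001
 bgp router-id 203.0.113.10
 ! keepalive 10 s, hold 30 s: a dead tunnel tears the session down within 30 s,
 ! which withdraws the routes learnt over it and lets the other path take over
 neighbor 192.0.2.1 remote-as 64999
 neighbor 192.0.2.1 description Site1-primary
 neighbor 192.0.2.1 timers 10 30
 neighbor 192.0.2.5 remote-as 64999
 neighbor 192.0.2.5 description Site2-secondary
 neighbor 192.0.2.5 timers 10 30
 !
 address-family ipv4 unicast
  ! the LAN prefix must exist in the RIB (connected or static) to be advertised
  network 10.10.0.0/24
  ! inbound: prefer everything learnt from Site 1 (higher local preference)
  neighbor 192.0.2.1 route-map FROM-SITE1 in
  neighbor 192.0.2.1 route-map TO-SITE1 out
  neighbor 192.0.2.5 route-map FROM-SITE2 in
  ! outbound: lengthen the AS path via Site 2 so the platform prefers Site 1
  neighbor 192.0.2.5 route-map TO-SITE2 out
 exit-address-family
!
route-map FROM-SITE1 permit 10
 set local-preference 200
!
route-map FROM-SITE2 permit 10
 set local-preference 100
!
! FRR's default "bgp ebgp-requires-policy" drops eBGP routes on sessions without
! an inbound and outbound policy, so the primary session gets an explicit
! permit-all outbound map even though it changes nothing
route-map TO-SITE1 permit 10
!
route-map TO-SITE2 permit 10
 set as-path prepend 65001 65001
!
```

After `systemctl restart frr`, `vtysh -c 'show bgp ipv4 unicast summary'` should list both neighbors as Established, and `vtysh -c 'show ip route'` should show the platform prefixes via ipsec1 only. Pulling ipsec1 down (or blocking UDP 500/4500 to 198.51.100.1) should, after the 30 s hold time, move those routes to ipsec2, which is the behaviour of Figures 11 and 12 seen from the customer side.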

1.4.5 Redundant VPN

In a redundant VPN setup, the customer connects to the Telenor Connexion IoT platform using two VPN tunnels and two end-points at the customer data center. Intra-site redundancy is used in the Telenor Connexion IoT platform between Site 1 and Site 2. The customer should set up corresponding redundancy between the customer's two end-points, see Figure 13.


Figure 13. Overview of redundant VPN setup with two end-points at customer data center.

1.4.6 Redundant VPN with OSPF

In a redundant VPN OSPF setup, the customer connects to the Telenor Connexion sites using two IPsec VPN tunnels and two end-points at the customer data center. The primary VPN tunnel connects Telenor Connexion Site 1 with customer end-point 1 and the secondary VPN tunnel connects Telenor Connexion Site 2 with customer end-point 2, see Figure 14.

Figure 14. Primary path for traffic when using redundant VPN using OSPF.

If the primary VPN tunnel between Site 1 and customer end-point 1 fails, OSPF redirects the traffic in the Telenor Connexion Backbone, via the secondary VPN tunnel, to the customer end-point 2, see Figure 15.


Figure 15. Traffic path in case of Primary VPN tunnel failure using OSPF.

If Site 1 fails, OSPF redirects the traffic over Site 2 through the secondary VPN tunnel, see Figure 16.

Figure 16. Traffic path in case of Site 1 failure using OSPF.

1.4.7 Redundant VPN with BGP

In a redundant VPN BGP setup, the customer connects to the Telenor Connexion sites using two IPsec VPN tunnels and two end-points at the customer data center. The primary VPN tunnel connects Telenor Connexion Site 1 with customer end-point 1 and the secondary VPN tunnel connects Telenor Connexion Site 2 with customer end-point 2, see Figure 17.

Figure 17. Primary path for traffic when using redundant VPN using BGP.

If the primary VPN tunnel between Site 1 and customer end-point 1 fails, BGP redirects the traffic in the Telenor Connexion Backbone via the secondary VPN tunnel to the customer end-point 2, see Figure 18.

Figure 18. Traffic path in case of Primary VPN tunnel failure using BGP.

If Site 1 fails, BGP redirects the traffic over Site 2 through the secondary VPN tunnel to customer end-point 2, see Figure 19.

Figure 19. Traffic path in case of Site 1 failure using BGP.

2. SETUP

VPN is only provided if the customer has a Private Access Point Name (APN). By default, one private APN is included as a part of the VPN setup. Telenor Connexion can provide access to customer RADIUS server, customer DHCP server and customer DNS.

2.1 Requirements using Telenor Connexion provided End-Point

Telenor Connexion ships pre-configured routers to the customer for installation; they are ready to be plugged in and used as end-points in the customer data center. Each router needs power, a LAN connection and a WAN connection, and 1U of rack space.

2.2 Requirements using Customer Provided End-Point

The customer provided end-points need to be analyzed by Telenor Connexion to make sure the equipment can handle the required capacity.

2.2.1 Static Routing

With static routing, Dead Peer Detection (DPD) is used to verify that the IPsec peer is still reachable, since without a routing protocol there is no other mechanism that detects a failed tunnel. For redundancy between two customer end-points with static routing, one of the following first-hop redundancy protocols can be used:

  • Hot Standby Router Protocol (HSRP)
  • Virtual Router Redundancy Protocol (VRRP)

2.2.2 Redundant VPN Setup

In a redundant solution, the two end-points in the customer data center need to communicate with each other. A default gateway is needed for this communication, and additional intra-site communication may be needed depending on which VPN routing protocol is used.

Telenor Connexion recommends that the customer follows at least one installation certification for the customer data center, for example, ISO 9001 [1] or ISO 20000 [2]. According to the regulations, the two customer end-points should be placed in different physical locations.

For both OSPF and BGP, Telenor Connexion can provide IP addresses from a /30 network for each VPN tunnel, but customer-provided IP addresses are supported as well.

2.2.3 BGP VPN Tunnel

The customer needs to provide Telenor Connexion with the BGP AS number.

2.2.4 Customer Intra-Site Connectivity

The customer is responsible for choosing and setting up the intra-site connectivity. Telenor Connexion needs to know what intra-site connectivity is used.

The customer can set up intra-site connectivity with one of the following options:

  • Hot Standby Router Protocol
  • Virtual Router Redundancy Protocol
  • Layer 3 Tunneling Protocol (L3TP)
  • OSPF or BGP to customer LAN

2.3 Combination with other products

Redundant VPN with Telenor Connexion provided end-point can be combined with SLA for Redundant VPN.

3. REFERENCES

References marked with an asterisk (*) are not publicly published. If a document is not publicly accessible, it can be requested from Telenor Connexion.

[1] “ISO 9001:2015 Quality management systems – Requirements,” [Online]. Available: http://www.iso.org/iso/catalogue_detail?csnumber=62085. [Accessed 22 02 2017].

[2] “ISO/IEC 20000-1:2011 Information technology – Service management,” [Online]. Available: http://www.iso.org/iso/catalogue_detail?csnumber=51986. [Accessed 22 02 2017].